Vulnerability Disclosure Policy
Introduction
This document is Chintai's Vulnerability Disclosure Policy ("Policy"). It reflects our commitment to working with the security research community to protect our platform and customers.
Scope
This policy applies to all subdomains of http://chintai.io and http://chintainexus.com.
Responsible disclosure guideline
Disclose vulnerabilities confidentially to Chintai before any public disclosure.
Include sufficient technical detail for evaluation and reproduction.
Do not publish findings without Chintai's explicit written consent.
Only test against your own accounts or designated test accounts. Do not access, modify, or retain end-user data.
If you encounter end-user data, notify Chintai immediately. Do not view, alter, save, store, transfer, or otherwise access the data, and delete any local copies immediately.
Act in good faith. Do not disrupt services, destroy data, or violate applicable law.
Chintai will not negotiate under duress, threat of disclosure, or threat of data exposure.
Reporting a security vulnerability
Send reports to security@chintai.io. To be considered for a monetary reward, your report must include:
Technical description of the vulnerability.
Step-by-step reproduction instructions and/or proof-of-concept (PoC) code.
Business impact analysis: not merely "SQLi exists", but "an attacker can X, which leads to Y impact on users/platform/funds".
Reward structure
Rewards reflect the human effort, creativity, and business risk demonstrated in the report. Automated scanner output, theoretical findings, or reports lacking business impact analysis are not eligible for monetary reward.
| Severity | Reward | Requirements/Notes |
|---|---|---|
| Critical | Up to $3,000 | Requires working PoC. Amount determined by demonstrated business impact. |
| High (business logic / chain attacks) | Up to $1,500 | Complex multi-step or chained vulnerabilities with clear impact. |
| High (scanner-detectable) | Up to $500 | Basic SQLi, XSS, etc. with confirmed impact. Must include impact analysis. |
| Medium / Low / Informational | No reward | Recognition only. |
Reward amounts are indicative and subject to Chintai's discretion. Only the first reporter of a given vulnerability qualifies. Employees, contractors, subsidiaries, and service providers are not eligible.
Non-eligible findings
The following will not receive monetary rewards:
Generic scanner output without context
AI-generated reports without exploitation PoC
Theoretical attacks without working PoC
Missing best practices (e.g., CSP headers, security.txt) without exploitation PoC
Outdated libraries without exploitation PoC
Lack of HTTPS on non-sensitive endpoints or non-production environments
SPF / DMARC / DKIM misconfigurations that don’t lead to spoofing or abuse in real-world scenarios
Rate limiting bypasses with no demonstrated impact
Clickjacking without security impact
Non-sensitive information disclosure
Self-XSS (where the payload only executes in the attacker's own session and a victim would have to inject it themselves)
DoS / DDoS attacks
Physical access or highly unlikely social engineering
Medium / Low / Informational severity
Report quality requirements
To qualify for monetary reward, reports must demonstrate:
Impact, not just existence: explain what an attacker can actually do and what the consequence is for users, funds, or platform integrity.
Working proof-of-concept: critical findings require a reproducible PoC. Scanner screenshots alone are not sufficient.
Reproduction steps: detailed, sequential steps enabling Chintai's security team to reproduce the issue independently.
Scope confirmation: the affected asset must be within the defined scope.
Severity determination
Severity is assessed based on impact to confidentiality, integrity, and availability of the Chintai platform.
Critical
System-wide compromise affecting multiple users or core functionality; mass account takeover; unrestricted access to sensitive user data; full authentication bypass; administrative privilege escalation with complete system control; smart contract exploits with financial impact.
High
Individual account takeover or impersonation; bypass of authorization controls exposing sensitive user data; admin-level actions without full administrative control; business logic flaws with direct financial or data impact.
Medium
Limited unauthorized actions on behalf of another user without immediate financial impact; exposure of non-sensitive metadata; redirecting a user to another location without their knowledge (e.g., open redirects). No monetary reward.
Low / Informational
Browser-based weaknesses requiring user interaction; minor UI manipulation; theoretical issues without exploitation path. No monetary reward.
Disclosure process
Chintai will acknowledge receipt and begin evaluation upon submission.
We will collaborate with the reporter to validate findings, request additional detail, and provide updates.
All information is handled confidentially with limited internal distribution. Reporters must maintain confidentiality until remediation is complete.
Once resolved, Chintai will notify the reporter and may seek validation of the fix. Severity rating, timeline, and disclosure plans will be shared in good faith.